1. Field of the Invention
This invention relates to a cryptographic key recovery system and, more particularly, to achieving interoperability between systems that are enabled for, and unaware of, cryptographic key recovery.
2. Description of the Related Art
Copending U.S. Patent Application filed herewith, Ser. No. 09/224,892, entitled “Apparatus, Method, And Computer Program Product For High-Availability Multi-Agent Cryptographic Key Recovery,” filed Dec. 31, 1998 assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes a key recovery system using multiple key recovery agents.
Copending U.S. Patent Application of D. B. Johnson et al., Ser. No. 08/629,815, filed Apr. 10, 1996, entitled “Cryptographic Key Recovery System” (“Johnson et al. I”), assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes a key recovery system using multiple key recovery agents.
Copending U.S. Patent Application of D. B. Johnson et al., Ser. No. 08/681,629, filed Jul. 29, 1996, entitled “Interoperable Cryptographic Key Recovery System” (“Johnson et al. II”), assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes another key recovery system.
Copending U.S. Patent Application of S. Chandersekaran et al., Ser. No. 08/971,204, filed Nov. 14, 1997, entitled “Frame-Work Based Cryptographic Key Recovery System” (“Chandersekaran et al.”), assigned to the International Business Machines Corporation, is incorporated herein by reference. This cited patent application describes a key recovery system.
U.S. Pat. No. 6,058,188, entitled Method and Apparatus for Interoperable Validation for Key Recovery Information in a Cryptographic System” (Chandersekaran et al.) assigned to the International Business Machine Corp. is incorporated herein by reference. This cited patent describes a key recovery system.
Data encryption systems are well known in the data processing art. In general, such systems operate by performing an encryption operation on a plaintext input block, using an encryption key, to produce a ciphertext output block. The receiver of an encrypted message performs a corresponding decryption operation, using a decryption key, to recover the plaintext block.
Encryption systems fall into two general categories. Symmetric (or private key) encryption systems such as the Data Encryption Standard (DES) system use the same secret key for both encrypting and decrypting messages. In the DES system, a key having 56 independently specifiable bits is used to convert 64-bit plaintext blocks to ciphertext blocks, or vice versa.
Asymmetric (or public key) encryption systems, on the other hand, use different keys that are not feasibly derivable from one another for encryption and decryption. A person wishing to receive messages generates a pair of corresponding encryption and decryption keys. The encryption key is made public, while the corresponding decryption key is kept secret. Anyone wishing to communicate with the receiver may encrypt a message using the receiver's public key. Only the receiver may decrypt the message, however, since only he has the private key. Perhaps the best-known asymmetric encryption system is the RSA encryption system, named after its originators Rivest, Shamir and Adleman.
Asymmetric encryption systems are generally more computationally intensive than symmetric encryption systems, but have the advantage that they do not require a secure channel for the transmission of encryption keys. For this reason, asymmetric encryption systems are often used for the one-time transport of highly sensitive data such as symmetric encryption keys.
Data encryption systems of all types have attracted the attention of government intelligence agencies and law enforcement agencies because the same cryptographic strength that prevents decryption by unauthorized third parties also prevents decryption by intelligence or law enforcement officials having a legitimate reason for wanting to access the plaintext data. Because of such concerns, governments have either prohibited the use or export of strong encryption systems or have conditioned their approval on the use of weakened keys that are susceptible to key-exhaustion attacks (that is, systematically testing all possible keys until the right one is found). Such weak encryption systems have the obvious disadvantage that they are just as vulnerable to unauthorized third parties as they are to authorized government officials.
Various cryptographic key recovery systems have recently been proposed as a compromise between the demands of communicating parties for privacy in electronic communications and the demands of law enforcement agencies for access to such communications when necessary to uncover crimes or threats to national security. Generally, in such key recovery systems, all or part of the key used by the communicating parties is made available to one or more key recovery agents, either by actually giving the key portions to the key recovery agents (in which case the key portions are said to be “escrowed”) or by providing sufficient information in the communication itself (as by encrypting the key portions) to allow the key recovery agents to regenerate the key portions. Key recovery agents would reveal the escrowed or regenerated key portions to a requesting law enforcement agent only upon presentation of proper evidence of authority, such as a court order authorizing the interception. The use of multiple key recovery agents, all of which must cooperate to recover the key, minimizes the possibility that a law enforcement agent can improperly recover a key by using a corrupt key recovery agent.
Key recovery systems serve the communicants' interest in privacy, since their encryption system retains its full strength against third parties and does not have to be weakened to comply with domestic restrictions on encryption or to meet export requirements. At the same time, key recovery systems serve the legitimate needs of law enforcement by permitting the interception of encrypted communications in circumstances where unencrypted communications have previously been intercepted (such as where a court order has been obtained).
In addition to serving the needs of law enforcement, key recovery systems find application in purely private contexts. Thus, organizations may be concerned about employees using strong encryption of crucial files where keys are not recoverable. Loss of keys may result in loss of important stored data.
The term “key recovery” encompasses mechanisms that allow authorized third parties to retrieve the cryptographic keys used for data confidentiality, with the ultimate goal of recovery of encrypted data. There are two classes of key recovery mechanisms based on the ways keys are held to enable key recovery: key escrow and key encapsulation. Key escrow techniques are based on the paradigm that the government or a trusted third party called an “escrow agent,” holds the actual user keys or portions thereof. Key encapsulation techniques, on the other hand, are based on the paradigm that a cryptographically encapsulated form of the key is made available to third parties that require key recovery; the encapsulation technique ensures that only certain trusted third parties called “recovery agents” can perform the unwrap operation to retrieve the key material buried inside. There may also be hybrid schemes that use some escrow mechanisms in addition to encapsulation mechanisms.
An orthogonal way to classify key recovery mechanisms is based on the nature of the key that is either escrowed or encapsulated. Some schemes rely on the escrow or encapsulation of long-term keys, such as private keys, while other schemes are based on the escrow or encapsulation of ephemeral keys such as session keys.
Since escrow schemes involve the actual archival of keys, they typically deal with long-term keys, in order to avoid the proliferation problem that arises when trying to archive myriad ephemeral keys. These long-term “escrowed” keys are then used to retrieve the ephemeral keys used for data confidentiality.
Key encapsulation techniques can also choose to archive the encapsulated keys, but usually they do not. Instead, these techniques usually operate on the ephemeral keys, and associate the encapsulated key with the actual enciphered message and thereby dispense with the archival process. The encapsulated key is put into a key recovery block that is generated by the party performing the data encryption, and associated with the encrypted data. To ensure the transmission and the integrity of the key recovery block, it may be required for processing by the party performing the data decryption. The processing mechanism ensures that successful data decryption cannot occur unless the key recovery block is processed successfully. Since the key recovery block has to be associated with the cryptographic session in some way, key encapsulation schemes may require the perturbation of the communication protocol used.
The process of cryptographic key recovery involves two major phases. First, parties that are involved in cryptographic associations have to perform an operation to enable key recovery (such as the escrow of use keys, or the generation of key recovery blocks, etc.)—this is typically called the “key recovery enablement” phase. Next, authorized third parties that desire to recover the data keys do so with the help of a recovery server and one or more escrow agents or recovery agents; this is the actual “key recovery service” phase.
As key recovery systems proliferate, they will be required to communicate with systems that do not employ key recovery. Such systems may not be able to process a key recovery block, or may even experience a protocol failure upon receipt of a key recovery block. For purposes of discussion, systems are grouped into three categories: key recovery aware, key recovery enabled, and key recovery unaware. A key recovery enabled system can generate a key recovery block, can decode a received key recovery block to verify its integrity, and can process a received key recovery block to obtain the information in the key recovery field of the block. A key recovery aware system can verify the integrity of a received key recovery block, but cannot process a received key recovery block to obtain the information in the key recovery field of the block. A key recovery unaware system is one that can not receive a key recovery block without experiencing failure.
In general, systems that are either key recovery aware or key recovery enabled exchange key recovery blocks at the application layer (for example, OSI layer 7). However, to achieve interoperability between these systems and key recovery unaware systems at the application layer, it would be necessary to modify the application layer protocol. This approach suffers from two distinct disadvantages. First, such a protocol modification would require large scale development and universal acceptance. Second, such modification would require approval by the cognizant standards organization. Neither of these scenarios is likely.